Hell froze over.


Vic Dura

Had I been aware of this vulnerability, I would never have formatted my
drive as NTFS.

John,

Several months ago I made the move (kicking and screaming) to XPpro
from Win98se. I too chose NTFS, and after several months I'm sorry I
did. What I particularly don't like about it is not being able to use
a DOS boot floppy or CD to get access to the hard drives. I wasn't
aware of the vulnerability you mentioned, but that's another reason.

There are probably advantages to NTFS in a large networked environment
with many PCs and professional system administrators, but for my
situation with just 3 PCs on a home network, those advantages aren't
useful. If I had to do it all over again, I would stick with FAT-32.
 

CharlieDontSurf

There are probably advantages to NTFS in a large networked environment
with many PCs and professional system administrators, but for my
situation with just 3 PCs on a home network, those advantages aren't
useful. If I had to do it all over again, I would stick with FAT-32.

FWIW, I have a single PC with 2 drives of identical make, model and
size. All partitions are NTFS, save a large FAT32 partition on the
secondary drive.

Accessing the FAT32 partition is always accompanied with the loud
extended clatter of disk head repositioning. The NTFS partitions in
contrast, are markedly quieter and faster. Spinup from powerdown is also
noisier and longer on the second drive.

This is of course, anecdotal, from a sample size of one, but it seems to
me that FAT32 can cause more wear on a drive. Something to consider when
choosing filesystems. YMMV.
 

Daniel Mandic

CharlieDontSurf said:
This is of course, anecdotal, from a sample size of one, but it seems
to me that FAT32 can cause more wear on a drive. Something to
consider when choosing filesystems. YMMV.

Even better is a non-multitasking OS, as it doesn't write all the time
something.
Changing the Start-Partition (Pagefile) from time to time might help,
as I do. First time 2gig Fat16, 8gig NTFS NT etc. Second time 1gig
fat16, 8gig ntfs etc... Next time maybe 2x2gig Fat16, 8gig NTFS etc...
In short words, I change the pagefile.sys and other starting-files
positions (physically, of course).

R/W accesses on a cluster, block, sectors etc. are limited... I don't
know how much, but it is limited.
I don't think any Multitasking-OS is life-saving to a HD. From all I
know, I would say 2000 or XP is the softest to HD's. Caching strategies
on and NTFS features....

All at all it is difficult to say which software-environment is the
best and longest for a HD. I see also DOS-HD's breaking faster than a
NT one, maybe bez of doing too less :). Though, mechanical-stress
(swapping) belongs to Win9x and co. ;-) Although I don't count win9x to
the computer-OS's. More as a Trial :) to connect weird hardware
together.

Changing the MBR-position could help (maybe at most) too, but
unfortunately not possible to change, so far I know. :-(

Best Regards,

Daniel Mandic
 

John Corliss

»Q« said:
<http://www.heysoft.de/nt/ntfs-ads.htm> has a freeware utility called
LADS which scans drives or directories and displays the ADS.

Thanks for that »Q«! You get a genuine Mr. Burns "EHHHG-zelent!"

I'm on my way.

--
Regards from John Corliss
I don't reply to trolls and other such idiots. No adware, cdware,
commercial software, crippleware, demoware, nagware, PROmotionware,
shareware, spyware, time-limited software, trialware, viruses or warez
please.
 

Klaatu

Thanks for that »Q«! You get a genuine Mr. Burns "EHHHG-zelent!"

Interesting. I've been curious about these alternate data streams for a
while now. Here's an AutoIt (http://www.autoitscript.com) script I came
up with that will delete any ADS streams it finds in all files in any
folder and all its subfolders. It uses the technique described on the
webpage where lads.exe is distributed.

As noted, 2 freeware programs are used:

1) lads.exe from http://www.heysoft.de/nt/ntfs-ads.htm
2) cat.exe from http://unxutils.sourceforge.net/

Note that this script requires the BETA version of AutoIt; it will fail
with the current released version, but probably could be modified to work
if you're so inclined.

To catch wrapping, lines have been numbered. If a line doesn't start with
a number, it should be appended to the previous line. Removing the
numbers should leave you with a valid AutoIt script.

001. ; #NoTrayIcon
002. Opt("MustDeclareVars", 1)
003. Opt("TrayIconDebug", 1)
004.
005. ; Program to delete ADS (Alternate Data Streams) from files
006. ; on NTFS partitions
007. ;
008. ; two freeware programs used:
009. ;
010. ; 1) lads.exe from http://www.heysoft.de/nt/ntfs-ads.htm
011. ; this site also explains a lot about ADS.
012. ; 2) cat.exe as part of a zip file containing many Windows
013. ; ports of Unix commands at http://unxutils.sourceforge.net/
014. ;
015. ; if not using the compiled version of this script, be sure
016. ; to place the two exes in the same folder as the script file.
017. ;
018. ; If used, stub and stubloader are available through this thread
019. ; on AutoIt's web forums:
020. ; http://www.autoitscript.com/forum/index.php?s=&showtopic=17380&view=findpost&p=119727
021.
022. Global Const $lads = "lads.exe"
023. Global Const $cat = "cat.exe"
024.
025. Global $bConsoleApp = False, $vCmdLine = $CmdLine
026. Global $bExitSet = False, $sExitMsg = ''
027.
028. CheckConsole($bConsoleApp, $vCmdLine)
029.
030. Main()
031. Exit
032.
033. ; **********************************************************************
034. Func Main()
035.     Local $i, $sOut, $iColon, $sPath, $sFile, $aOut, $sTempFile, $sPrevFile = ''
036.
037.     If Not FileExists(@ScriptDir & '\' & $lads) Then
038.         If @Compiled Then
039.             FileInstall("lads.exe", @ScriptDir & '\')
040.         Else
041.             MsgBox(0, @ScriptName, 'Needed file ' & _Quote($lads) & ' not found.')
042.             Return
043.         EndIf
044.     EndIf
045.     If Not FileExists(@ScriptDir & '\' & $cat) Then
046.         If @Compiled Then
047.             FileInstall("cat.exe", @ScriptDir & '\')
048.         Else
049.             MsgBox(0, @ScriptName, 'Needed file ' & _Quote($cat) & ' not found.')
050.             Return
051.         EndIf
052.     EndIf
053.
054.     If $vCmdLine[0] > 0 Then
055.         $sPath = _UnQuote($vCmdLine[1])
056.     Else
057.         $sPath = @ScriptDir
058.     EndIf
059.     Print('Scanning ' & _Quote($sPath))
060.     $sOut = _RunOut(_Quote(@ScriptDir & '\' & $lads) & ' ' & _Quote($sPath) & ' /s', @WorkingDir, @SW_HIDE)
061.     $aOut = StringSplit(StringStripCR($sOut), @LF)
062.     For $i = 11 To UBound($aOut) - 3 ; account for header and footer
063.         ; Print($aOut[$i])
064.         $iColon = StringInStr($aOut[$i], ':', 0, -1) ; find last occurrence of colon
065.         If $iColon > 15 Then
066.             $sFile = StringMid($aOut[$i], 13, $iColon - 13)
067.             If ($sFile <> $sPrevFile) And FileExists($sFile) Then
068.                 Print($sFile)
069.                 $sTempFile = TempFile($sFile)
070.                 If FileMove($sFile, $sTempFile) Then
071.                     _RunDOS(_Quote(@ScriptDir & '\' & $cat) & ' ' & _Quote($sTempFile) & ' >' & _Quote($sFile))
072.                     FileDelete($sTempFile)
073.                 Else
074.                     Print('Rename failed!: ' & _Quote($sFile) & ' to ' & _Quote($sTempFile))
075.                 EndIf
076.                 $sPrevFile = $sFile
077.             EndIf
078.         EndIf
079.     Next
080. EndFunc ;==>Main
081.
082. ; **********************************************************************
083. ; Generate a name for a temporary file, making sure the file does
084. ; not already exist.
085. ; **********************************************************************
086. Func TempFile($sFile)
087.     Local $sTempName
088.     Do
089.         $sTempName = "~"
090.         While StringLen($sTempName) < 3
091.             $sTempName = $sTempName & Chr(Round(Random(97, 122), 0))
092.         Wend
093.         $sTempName = $sFile & "." & $sTempName
094.     Until Not FileExists($sTempName)
095.     Return ($sTempName)
096. EndFunc ;==>TempFile
097.
098. ; **********************************************************************
099. Func Print($sMsg)
100.     If $bConsoleApp Then
101.         ConsoleWrite(StringStripWS($sMsg, 3) & @LF)
102.     Else
103.         If Not $bExitSet Then
104.             Opt("OnExitFunc", "PrintOnExit")
105.         EndIf
106.         $sExitMsg &= @LF & StringStripWS($sMsg, 3)
107.         If @TrayIconVisible Then TrayTip(@ScriptName, $sMsg, 1, 1)
108.     EndIf
109. EndFunc ;==>Print
110.
111. Func PrintOnExit()
112.     If StringLen($sExitMsg) > 1 Then
113.         MsgBox(0, @ScriptName, StringTrimLeft($sExitMsg, 1), 10)
114.     EndIf
115. EndFunc ;==>PrintOnExit
116.
117. ; **********************************************************************
118. Func CheckConsole(ByRef $bConsoleApp, ByRef $vCmdLine)
119.     Local $i
120.     $bConsoleApp = False
121.     If $vCmdLine[0] > 0 Then
122.         If $vCmdLine[1] = '/console' Then
123.             $bConsoleApp = True
124.             $vCmdLine[0] -= 1
125.             For $i = 1 To $vCmdLine[0]
126.                 $vCmdLine[$i] = $vCmdLine[$i+1]
127.             Next
128.         EndIf
129.     EndIf
130. EndFunc ;==>CheckConsole
131.
132. ; **********************************************************************
133. Func _Quote($sTheString, $sQuoteChar = '"')
134.     Return ($sQuoteChar & $sTheString & $sQuoteChar)
135. EndFunc ;==>_Quote
136.
137. ; **********************************************************************
138. ; Run a "DOS" command without showing any window. The whole command is
139. ; wrapped in one extra pair of quotes so cmd.exe /C keeps the inner quotes
140. Func _RunDOS($sCommand) ; around paths that contain spaces.
141.     Return RunWait(@ComSpec & ' /C "' & $sCommand & '"', @WorkingDir, @SW_HIDE)
142. EndFunc ;==>_RunDOS
143.
144. ; **********************************************************************
145. ; Run a command without showing any window.
146. ; Returns the output of the command.
147. ; **********************************************************************
148. Func _RunOut($sCommand, $sWorkDir = @WorkingDir, $iShowMode = @SW_HIDE)
149.     Local $sResult = '', $iPID = Run($sCommand, $sWorkDir, $iShowMode, 2) ; 2 = capture STDOUT
150.     While Not @error
151.         $sResult &= StdoutRead($iPID)
152.     Wend
153.     Return $sResult
154. EndFunc ;==>_RunOut
155.
156. ; **********************************************************************
157. Func _UnQuote($sTheString, $sQuoteChar = '"')
158.     If (StringLeft($sTheString, 1) = $sQuoteChar) And (StringRight($sTheString, 1) = $sQuoteChar) Then
159.         Return StringMid($sTheString, 2, (StringLen($sTheString) - 2))
160.     Else
161.         Return $sTheString
162.     EndIf
163. EndFunc ;==>_UnQuote

As always with things like this, use at your own risk, yada yada yada,
don't blame me, yada yada yada. All I know is it works for me.

HTH
 

badgolferman

Vic said:
John,

Several months ago I made the move (kicking and screaming) to XPpro
from Win98se. I too chose NTFS, and after several months I'm sorry I
did. What I particularly don't like about it is not being able to use
a DOS boot floppy or CD to get access to the hard drives. I wasn't
aware of the vulnerability you mentioned, but that's another reason.

There are probably advantages to NTFS in a large networked environment
with many PCs and professional system administrators, but for my
situation with just 3 PCs on a home network, those advantages aren't
useful. If I had to do it all over again, I would stick with FAT-32.

I don't recall there being a choice in Setup to format to FAT32 for WXP
Professional. W2K Professional has that choice, but I am not sure of
WXP. However if you were upgrading from W98 and not doing a clean
install then that is different.
 

Sietse Fliege

John said:
Thanks for that »Q«! You get a genuine Mr. Burns "EHHHG-zelent!"

Ehhm, that was easily earned!
The LADS utility was mentioned in the article you referred to above. :)

There's also good old Sysinternals Streams.exe
http://www.sysinternals.com/utilities/streams.html

And of course: e.g. Ad-Aware checks and logs Alternate Data Streams
See Configuration, Advanced
You may notice that its default setting is to ignore Inoculate-it ADS.
AV-programs like Inoculate-It sometimes use ADS (to store CRC with files)
Note also 'eTrust' mentioned in the article you referred to above.
And from Sysinternals:
http://www.sysinternals.com/utilities/rootkitrevealer.html
"There are also antivirus products, such as Kaspersky Antivirus, that use
rootkit techniques to hide data they store in NTFS alternate data streams."

So there is a mixture of things:

ADS can be useful and be used on the OS level for various info and also by
third party programs to store things with a file like CRC (AV-programs),
thumbnails, version info, comments (you can add them yourself on the
properties page of a file and configure Explorer to show them) etc. that
stay with the file when you move them.

But it can also be used to hide something, like info.
Of course there are also many other ways to hide info, in files or somewhere
in the registry.
And many ways to hide processes: what about a trojan called notepad.exe
that shows up in taskmanager like, guess what, notepad.exe.

As mentioned, you can check for ADS with the tools above.
And (quoting the article John mentioned above):
"a third party file checksum application can effectively maintain the
integrity of an NTFS partition against unauthorized Alternate Data Streams."

I would rather claim to be a security-novice than an expert, but in my eyes
ADS, while it is used by some malware, does not pose too much of a threat.
The bulk of malware doesn't use it and you can protect yourself against the
ones that do with AV-apps, if you really think you need to.
In any case it is better from a security view to use NTFS, especially XP
Pro. To quote the summary of the article that John himself mentioned:
"the security features of NTFS far outweigh this potentially dangerous
vulnerability."

I hope that e.g. Aaron can shed more light on this, but I pray:
Let's keep this thread short.
We're supposed to discuss freeware here. :)
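As an added example that is not part of the thread (nor code from LADS, Streams.exe or AutoIt), here is the same scan-and-strip job as Klaatu's script, plus the baseline the checksum-style integrity check quoted above needs, done with the stream support built into PowerShell 3.0 and later (Get-Item -Stream and Remove-Item -Stream); it assumes an NTFS volume and that the allow-list below fits the tools on the machine:

```powershell
<#
Added example; not code from the thread or from LADS, Streams.exe or AutoIt.
Lists the NTFS alternate data streams under -Path as objects, marks the ones
whose name is not on an allow-list as suspect, and with -Remove deletes the
suspect streams in place. Remove-Item -Stream leaves the file's main data,
timestamps and ACL alone, whereas a rename-and-copy round trip recreates the
file and loses them. Assumes Windows PowerShell 3.0+ on an NTFS volume.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Path = '.',
    [switch]$Remove,
    # Names Windows itself writes (Zone.Identifier is the mark a downloaded
    # file carries); extend this for AV or other tools known to use streams.
    [string[]]$AllowList = @('Zone.Identifier')
)

function Get-AdsInventory {
    param([string]$Root, [string[]]$Allow)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            # -Stream * enumerates every $DATA stream of the file. ':$DATA' is
            # the unnamed main stream, i.e. the normal file content, so skip it.
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File    = $file
                        Stream  = $_.Stream
                        Length  = $_.Length
                        Suspect = ($Allow -notcontains $_.Stream)
                    }
                }
        }
}

$inventory = @(Get-AdsInventory -Root $Path -Allow $AllowList)

if ($Remove) {
    foreach ($ads in ($inventory | Where-Object { $_.Suspect })) {
        # Honours -WhatIf and -Confirm; only the named stream goes, the file stays.
        if ($PSCmdlet.ShouldProcess("$($ads.File):$($ads.Stream)", 'Remove alternate data stream')) {
            Remove-Item -LiteralPath $ads.File -Stream $ads.Stream
        }
    }
}

# Emit the inventory so it can be viewed, or saved as a baseline with Export-Csv.
$inventory
```

Piping a first run to Export-Csv gives a baseline; Compare-Object between that CSV and a later run shows which streams appeared or changed size since, which is the integrity check the quoted article has in mind.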
 

Daniel Mandic

Sietse said:
I hope that e.g. Aaron can shed more light on this, but I pray:
Let's keep this thread short.
We're supposed to discuss freeware here. :)


Why not. You are describing primary things. Any Software is secondary
related to the OS. Why not help a bit with Windows/Mac/Unix/Linux
etc. (and other OS) troubles, infos and so on.... makes freeware even
easier :)

Kind Regards,

Daniel Mandic
 

»Q«

Ehhm, that was easily earned!
The LADS utility was mentioned in the article you referred to
above. :)

Heh, I missed that. But I'll take my kudos where I can!

[big snip]
I hope that e.g. Aaron can shed more light on this, but I pray:
Let's keep this thread short.
We're supposed to discuss freeware here. :)

I agree. I'll just add that I agree with you about all the stuff I
snipped, but I'm no security expert either. My plan for keeping
malware from utilizing ADS is just to keep the malware off my computer,
which would be my plan with an ADS-less file system anyway.
 

»Q«

Why not. You are describing primary things. Any Software is secondary
related to the OS. Why not help a bit with Windows/Mac/Unix/Linux
etc. (and other OS) troubles, infos and so on.... makes freeware even
easier :)

Mostly because it turns the group into something more like
comp.general, whereas it should be about freeware. There are plenty of
other resources for info and help about filesystems, operating systems,
hardware, etc.
 

John Corliss

Vic said:
John,

Several months ago I made the move (kicking and screaming) to XPpro
from Win98se. I too chose NTFS, and after several months I'm sorry I
did. What I particularly don't like about it is not being able to use
a DOS boot floppy or CD to get access to the hard drives. I wasn't
aware of the vulnerability you mentioned, but that's another reason.

There are probably advantages to NTFS in a large networked environment
with many PCs and professional system administrators, but for my
situation with just 3 PCs on a home network, those advantages aren't
useful. If I had to do it all over again, I would stick with FAT-32.

Vic, have you looked at "Bart's PE"?

http://www.nu2.nu/pebuilder/

--
Regards from John Corliss
I don't reply to trolls and other such idiots. No adware, cdware,
commercial software, crippleware, demoware, nagware, PROmotionware,
shareware, spyware, time-limited software, trialware, viruses or warez
please.
 

John Corliss

Sietse said:
Ehhm, that was easily earned!
The LADS utility was mentioned in the article you referred to above. :)

That may be, but I'm kinda totally new to XP and dealing with
information overload at this point. 80)>
There's also good old Sysinternals Streams.exe
http://www.sysinternals.com/utilities/streams.html

Thanks for that. I'll download it now.
And of course: e.g. Ad-Aware checks and logs Alternate Data Streams
See Configuration, Advanced
You may notice that its default setting is to ignore Inoculate-it ADS.
AV-programs like Inoculate-It sometimes use ADS (to store CRC with files)
Note also 'eTrust' mentioned in the article you referred to above.
And from Sysinternals:
http://www.sysinternals.com/utilities/rootkitrevealer.html

Thanks. And FWIW, I've already downloaded that one and run it. Came up
clean (not surprising.)
"There are also antivirus products, such as Kaspersky Antivirus, that use
rootkit techniques to hide data they store in NTFS alternate data streams."

So there is a mixture of things:

ADS can be useful and be used on the OS level for various info and also by
third party programs to store things with a file like CRC (AV-programs),
thumbnails, version info, comments (you can add them yourself on the
properties page of a file and configure Explorer to show them) etc. that
stay with the file when you move them.

But it can also be used to hide something, like info.
Of course there are also many other ways to hide info, in files or somewhere
in the registry.
And many ways to hide processes: what about a trojan called notepad.exe
that shows up in taskmanager like, guess what, notepad.exe.

As mentioned, you can check for ADS with the tools above.
And (quoting the article John mentioned above):
"a third party file checksum application can effectively maintain the
integrity of an NTFS partition against unauthorized Alternate Data Streams."

I would rather claim to be a security-novice than an expert, but in my eyes
ADS, while it is used by some malware, does not pose too much of a threat.
The bulk of malware doesn't use it and you can protect yourself against the
ones that do with AV-apps, if you really think you need to.
In any case it is better from a security view to use NTFS, especially XP
Pro. To quote the summary of the article that John himself mentioned:
"the security features of NTFS far outweigh this potentially dangerous
vulnerability."

I hope that e.g. Aaron can shed more light on this, but I pray:
Let's keep this thread short.
We're supposed to discuss freeware here. :)

I agree somewhat, but you mentioned AdAware, Sysinternals Rootkit
Revealer, »Q« mentioned "LADS" etc. etc. This has still been pretty much
a freeware related thread.

--
Regards from John Corliss
I don't reply to trolls and other such idiots. No adware, cdware,
commercial software, crippleware, demoware, nagware, PROmotionware,
shareware, spyware, time-limited software, trialware, viruses or warez
please.
 

Sietse Fliege

John said:
Sietse Fliege wrote:

I agree somewhat, but you mentioned AdAware, Sysinternals Rootkit
Revealer, »Q« mentioned "LADS" etc. etc. This has still been pretty
much a freeware related thread.

Yes, I did not word this well.
I just didn't want to appear to be inviting everybody to join in a NTFS
discussion.
 

Renan

CharlieDontSurf wrote:

FWIW, I have a single PC with 2 drives of identical make, model and
size. All partitions are NTFS, save a large FAT32 partition on the
secondary drive.

I have a single 80GB (real size: 75GB) hard drive with:

- 20GB partition for system/software/files larger than 4GB (NTFS)
- 50GB partition for files (documents, music, video, download...)
(FAT32)
- 540MB partition for temporary files and swap file* (FAT16)

* since I have 512MB RAM, the swap file rarely seems to get used.

An advantage of having my files partition in FAT32 is that, if I need to
boot using a Linux Live-CD, the partition is easily read/write
accessible.
Accessing the FAT32 partition is always accompanied with the loud
extended clatter of disk head repositioning. The NTFS partitions in
contrast, are markedly quieter and faster. Spinup from powerdown is also
noisier and longer on the second drive.

Try defragmenting the FAT32 partition.
This used to help me when I used Windows 98 on a FAT32 partition.
With NTFS, however, I don't need to defrag that much.
This is of course, anecdotal, from a sample size of one, but it seems to
me that FAT32 can cause more wear on a drive. Something to consider when
choosing filesystems. YMMV.

I don't think so, as I know web/database servers that have large
documents/databases with heavy access.

I think that hard drives have a MTBF (?) which represents years of
continuous use.
 

CharlieDontSurf

An advantage of having my files partition in FAT32 is that, if I need to
boot using a Linux Live-CD, the partition is easily read/write
accessible.

I have a couple of Linux partitions. I keep a FAT32 partition for data
sharing, too.
Try defragmenting the FAT32 partition.
This used to help me when I used Windows 98 on a FAT32 partition.
With NTFS, however, I don't need to defrag that much.

It is defragmented, regularly.
I don't think so, as I know web/database servers that have large
documents/databases with heavy access.

And if those servers used NTFS instead, the drives will probably last
even longer. The click-SKROOOOOONK I get when opening a non-cached part
of the FAT partition is a pretty good indication of a head seek workout,
compared to the quiet zzzt from any other parts of the drives.
 

John Corliss

Renan said:
CharlieDontSurf wrote:

I have a single 80GB (real size: 75GB) hard drive with:

- 20GB partition for system/software/files larger than 4GB (NTFS)
- 50GB partition for files (documents, music, video, download...)
(FAT32)
- 540MB partition for temporary files and swap file* (FAT16)

* since I have 512MB RAM, the swap file rarely seems to get used.

This is nice to know, since I just upgraded this computer to 512 mb of ram.
An advantage of having my files partition in FAT32 is that, if I need to
boot using a Linux Live-CD, the partition is easily read/write
accessible.

My plan is to simply back up my data files to DVD and then copy them to
the dedicated Linux hard drive (which I've already set up with SuSE.)
Try defragmenting the FAT32 partition.
This used to help me when I used Windows 98 on a FAT32 partition.
With NTFS, however, I don't need to defrag that much.

I don't think so, as I know web/database servers that have large
documents/databases with heavy access.

I think that hard drives have a MTBF (?) which represents years of
continuous use.

Along those lines, the hard drives used in servers are usually of a much
higher quality than those used in home computers. They have a much
higher MTBF.

--
Regards from John Corliss
I don't reply to trolls and other such idiots. No adware, cdware,
commercial software, crippleware, demoware, nagware, PROmotionware,
shareware, spyware, time-limited software, trialware, viruses or warez
please.
 

John Corliss

Sietse said:
Yes, I did not word this well.
I just didn't want to appear to be inviting everybody to join in a NTFS
discussion.

I certainly agree with that. A far more appropriate group for discussion
of NTFS is microsoft.public.windowsxp.general

Be advised though everybody (I'm sure Sietse knows this) that the group
is a VERY active one - about three times the daily volume of posts that
this group gets. And the MVPs there really know what they're talking about.

--
Regards from John Corliss
I don't reply to trolls and other such idiots. No adware, cdware,
commercial software, crippleware, demoware, nagware, PROmotionware,
shareware, spyware, time-limited software, trialware, viruses or warez
please.
 